YouTube Hit with HTML Injection Attack

YouTube is reported to have been hit by hackers. They have exploited a loophole in the way YouTube lets users post comments. More information can be found in the Google Support Forum and on Slashdot.

Analysis
It seems that when someone places a piece of JavaScript in the comment section, beginning with the <script> tag, YouTube’s comment sanitization policy correctly escapes the <script> tag itself. Unfortunately, the data that follows this tag is not removed; it is displayed on the page as-is. This allows a clever hacker to inject HTML directly into the page, modifying the page itself and opening the door to all types of security issues.
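The failure mode described above, as an added example that is not YouTube's code or part of the original post: `flawedSanitize` is a hypothetical model of a filter that escapes only a leading <script> tag, shown next to whole-string output encoding and a regression check. All function names and the sample comment are constructed for illustration.

```javascript
// Constructed model of the flaw described in the analysis; not YouTube's code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Hardened: encode every HTML metacharacter in the whole comment before
// writing it into an HTML text context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed (hypothetical): recognises a leading <script> tag, escapes only
// that tag, and emits everything after it unchanged.
function flawedSanitize(comment) {
  const tag = /^<script\b[^>]*>/i.exec(comment);
  if (!tag) return escapeHtml(comment); // ordinary comments are handled
  // BUG: the tail of the comment reaches the page as raw markup.
  return escapeHtml(tag[0]) + comment.slice(tag[0].length);
}

// Regression check for any sanitizer: its output must not contain a raw
// tag opener, because the result is meant to be plain text.
function leaksMarkup(sanitizer, comment) {
  return /<[a-z!\/]/i.test(sanitizer(comment));
}

// Constructed sample comment: a script tag followed by harmless markup.
const SAMPLE = '<script><h1>injected heading</h1>';

for (const [name, fn] of [['flawed', flawedSanitize], ['hardened', escapeHtml]]) {
  console.log(name.padEnd(8), JSON.stringify(fn(SAMPLE)),
    leaksMarkup(fn, SAMPLE) ? 'LEAKS MARKUP' : 'ok');
}
```

A check like `leaksMarkup` belongs in the sanitizer's test suite, run over comments that begin with, contain, and end with a tag, so a partial-escape regression is caught before deployment.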

This incident highlights the impact of security issues like Cross-Site Scripting (XSS). These vulnerabilities should not be treated lightly, since a Web Application Firewall (WAF) cannot protect you from new attacks like this one. WAFs can only protect you from what they already know.

About stopthehacker.com
At stopthehacker.com, we work hard to help you combat attacks by malicious hackers. If you would like to work with us, please drop us an email. You can also visit our services page to find out how we can help you. In fact, you can even sign up for our Free Blacklist Monitoring service!